Sending On Behalf Of Others:
Sub-Domain Delegation With CNAMEs
This article expands on the "CNAMEs" approach described in the larger How to send DMARC-compliant email on behalf of others article. An assumption is that the reader is sending email on behalf of others, and desires to send such email in a manner compliant with DMARC.
CNAME-based delegation is when a domain owner creates several CNAMEs that point back to your own domain. In contrast with full sub-domain delegation, individual services are delegated by each CNAME. By doing so, any DNS-based questions regarding any CNAME will be referred to your own domain for resolution. Additional explanations and examples of using CNAMEs to perform delegation:
- AmazonSES's guide to using CNAMEs to enabler DKIM signing
- Mailchimp's blog about using CNAMEs for custom Return-Path addresses
- Pardot's article on using a CNAME to configure a Tracker subdomain
Utilizing CNAME-based delegations is as simple as sending email as you usually do, except you'll be able to:
- Send email using the domain-owner/customer's top-level domain in email From: headers. The CNAMEs provide DMARC-compliant authentication using SPF and DKIM when DMARC's default "alignment mode" of "relaxed" is used.
- Send and receive email using the CNAMEs by using CNAMEs in RFC5321.MailFrom addresses (also known as bounce/return-path/envelope addresses) and by accepting CNAME-addressed email through your existing email infrastructure (so that people on the Internet can send email that is destined for the CNAME-addressed domain).
- By directly managing the CNAME'd sub-domain, you can publish and maintain a concise and accurate SPF record for the sub-domain that only authorizes servers that you control. You will avoid having to deal with other people's SPF records and the resulting confusion.
- By directly managing CNAME'd DKIM public key records, you can manage DKIM signing however you wish. You can create as many DKIM signing keys as you have CNAME'd records for, rotate them as you see fit, and avoid having to figure out how to communicate/manage keys with your customer/domain-owner.
This form of delegation benefits the domain-owner/customer as relatively easy to set up, no further configuration is necessary, and maintenance of CNAMEs can be easily managed.
This form of delegation benefits you – the one sending email on behalf of others – by giving you control over how you send email and maintain your infrastructure. If you move servers, rotate DKIM keys, or swap out infrastructure, the domain-owner (your customer) doesn't have to change anything.